Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links

From: Thomas Kellerer <shammat(at)gmx(dot)net>
To: pgsql-sql(at)lists(dot)postgresql(dot)org
Subject: Re: Pragma autonomous transactions in Postgres/ Certification based authentication in DB Links
Date: 2021-12-17 17:07:29
Message-ID: b1c37523-c7ec-1643-4958-e7c8f400e3a8@gmx.net
Lists: pgsql-sql

Tom Lane wrote on 17.12.2021 at 17:27:
> No, that won't help. Like postgres_fdw, dblink will only let you use
> non-password auth methods if you're superuser [1][2]. The problem is
> that making use of any credentials stored in the server's filesystem
> amounts to impersonating the OS user that's running the server. It'd
> be nice to find a less confining solution, but I'm not sure what one
> would look like.
>
> Maybe "use server's FDW credentials" could be associated with a
> grantable role? That's still an awfully coarse-grained approach
> though. I thought for a moment about putting an SSL cert right
> into the connection string; but you'd have to put the SSL private
> key in there too, making it just as much of a security problem as
> putting a password there (but about 100 times more verbose :-().

What about using a .pgpass file?

We use that to hide the password for FDW connections on the SQL level.

Regards
Thomas
